Akamai: One Is a Fluke, 3 Is a Pattern: MCP Back-End Vulnerabilities
Akamai's May 12, 2026 research describes database-oriented MCP server flaws in Apache Doris MCP, Apache Pinot MCP, and Alibaba RDS MCP, showing how weak back-end validation can turn agent tool access into data-plane risk.
Date: May 12, 2026
First Seen: May 12, 2026
Last Reviewed: May 17, 2026
Publisher: Akamai
Source Type: article
Related reading
- OpenClaw Security Guide: A practical baseline for local binding, scoped credentials, sandboxing, runtime checks, and Armorer Guard.
- Securing OpenClaw with Armorer Guard: How Armorer wraps OpenClaw with managed setup, Docker hardening, health checks, approvals, and Guard-backed scanning.
Source Summary
Extracted Claims
- Akamai reviewed roughly 300 official MCP servers for back-end communication, authentication, authorization, tool capabilities, and command invocation patterns.
- `CVE-2025-66335` affects Apache Doris MCP Server v0.6 and earlier. The vulnerable `db_name` parameter was not validated before being prepended to a SQL query, while validation only checked the first parsed statement.
- Pinot MCP v1.1.0 and earlier exposed HTTP transport on `0.0.0.0:8080` and allowed reachable clients to invoke SQL-capable tools. StarTree later added OAuth as an authentication option for HTTP transport, reducing severity, while Akamai says SQL injection risk remained in code.
- Alibaba RDS MCP's FastMCP-based RAG component listened on `0.0.0.0:8006` and exposed `get_table_struct` without authentication, allowing reachable clients to retrieve table names, schema definitions, or other metadata from the vector index.
- Akamai says Apache patched Doris MCP on 2025-12-30, CVE assignment occurred on 2026-01-07, an MCP Pinot issue was opened on 2026-05-04, and Alibaba declined to patch the RDS MCP issue as of the disclosure timeline.
- Recommended minimum practices include transport-layer authentication, server-side validation of all parameters, and least-privilege access from MCP servers to back-end systems.
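
The `db_name` claim and the "server-side validation of all parameters" recommendation above, as an added sketch that is not code from Akamai's article or from Apache Doris MCP. The function names, the `USE` prefix, and the sample values are assumptions constructed for illustration.

```python
import re

# Constructed sketch of the flaw class described above; every name here is
# hypothetical and the USE prefix is an assumption about how db_name is prepended.
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")
READ_ONLY = ("select", "show", "describe", "explain")


def weak_check(sql: str) -> bool:
    """Flawed pattern: only the first parsed statement is inspected."""
    first = sql.split(";")[0].strip().lower()
    return first.startswith(("use",) + READ_ONLY)


def build_unsafe(db_name: str, query: str) -> str:
    """Flawed pattern: db_name is prepended without any validation."""
    return f"USE {db_name}; {query}"


def build_checked(db_name: str, query: str) -> str:
    """Hardened: allow-list the identifier, then require one read-only statement."""
    if not IDENT.fullmatch(db_name):
        raise ValueError("db_name is not a plain identifier")
    # Conservative rule: one optional trailing ';' is tolerated, any other ';'
    # is rejected, even inside a string literal, so no second statement exists.
    body = query.strip().rstrip(";").strip()
    if ";" in body or not body.lower().startswith(READ_ONLY):
        raise ValueError("query must be a single read-only statement")
    return f"USE `{db_name}`; {body}"


if __name__ == "__main__":
    crafted = "demo; DROP TABLE constructed_tbl"  # constructed sample value
    print("weak check accepts:", weak_check(build_unsafe(crafted, "SELECT 1")))
    try:
        build_checked(crafted, "SELECT 1")
    except ValueError as err:
        print("hardened builder rejects:", err)
    print(build_checked("demo", "SELECT 1;"))
```

The keyword allow-list is only a first filter, so the back-end account the MCP server uses should still be read-only and scoped to the databases it needs.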
Evidence Quality
Primary vendor security research with named researcher, affected-version statements, disclosure timeline, technical code excerpts, and a CVE reference for the Apache Doris issue. Some downstream patch-state details should still be verified against project advisories before operational enforcement.
Armorer Relevance
The source is directly relevant to Armorer because it shows MCP connectors are not just prompt surfaces; they are privileged service adapters whose implementation choices can expose databases and metadata. Armorer could use this pattern to justify checks for unauthenticated MCP transports, broad network binds, unsafe SQL-capable tool exposure, backend credential scope, and runtime monitoring around agent tool servers.
Follow-Up
- Track Apache Doris MCP advisory and NVD metadata for `CVE-2025-66335`.
- Track the MCP Pinot issue and whether authentication and query validation become mandatory defaults.
- Track whether Alibaba or CERT/CC publish coordinated guidance for the RDS MCP metadata exposure.
- Consider adding Armorer health checks for MCP servers that bind beyond localhost, expose HTTP/SSE without authentication, or hold database credentials with broad privileges.